Progressive and distributed regulation of selected network traffic destined for a network node

ABSTRACT

An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time. In one embodiment, deregulation follows the reverse path, whereas in another embodiment, deregulation is determined and implemented locally, whenever regulation or the extent of regulation is no longer needed. In one embodiment, regulation is made in accordance with a not-to-exceed profile, and the not-to-exceed limit or limits are divided up as regulation extends away from the network node.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of networking. More specifically, the present invention relates to the regulation of routing devices for a network node, including progressive and distributed regulation of selected network traffic destined for the network node.

2. Background Information

With advances in integrated circuit, microprocessor, networking and communication technologies, an increasing number of devices, in particular digital computing devices, are being networked together. Devices are often first coupled to a local area network, such as an Ethernet based office/home network. In turn the local area networks are interconnected together through wide area networks, such as ATM networks, Frame Relays, and the like. Of particular notoriety is the TCP/IP based global inter-network, the Internet.

As a result of this trend of increased connectivity, an increasing number of applications that are network dependent are being deployed. Examples of these network dependent applications include, but are not limited to, email, net based telephony, the world wide web and various types of e-commerce. For these applications, success inherently means a high volume of network traffic for their implementing servers. To ensure continuing success, quality of service through orderly and efficient handling of the large volume of network traffic has become of paramount importance. Various subject matters, such as scalability, distributive deployment and caching of contents, as well as regulating network traffic destined for a network node, have become of great interest to the artisan.

SUMMARY OF THE INVENTION

The present invention provides for a method and apparatus for regulating network traffic destined for a network node, such as a server, to facilitate ensuring the quality of service provided by the network to the network node and the parties interacting with it, such as a client. More specifically, the present invention provides for a progressive and distributed approach to regulating selected network traffic destined for the network node at those regions of the network where the selected traffic exceeds a desired amount. The present invention may also be used to block selected network traffic destined for a network node, thereby protecting the network node from denial of service attacks.

In accordance with the present invention, an apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The routing devices may or may not form a contiguous portion of the network. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time. In one embodiment, deregulation follows the reverse path, whereas in another embodiment, deregulation is determined and implemented locally, whenever regulation or the extent of regulation is no longer needed. In one embodiment, regulation is made in accordance with a not-to-exceed profile, and the not-to-exceed limit or limits are divided up as regulation extends away from the network node.

BRIEF DESCRIPTION OF DRAWINGS

The present invention will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which:

FIG. 1 illustrates a topological view of an example network incorporated with the teachings of the present invention, including a director to regulate network traffics for a network node, in accordance with one embodiment;

FIG. 2 illustrates a method view of the same invention, in accordance with one embodiment;

FIG. 3 illustrates a functional view of the director of FIG. 1, in accordance with one embodiment;

FIGS. 4-6 illustrate the operational flow of the relevant aspects of the send/receive, analyzer and regulator functions of FIG. 3, in accordance with one embodiment each;

FIGS. 7 a-7 c illustrate a number of sample data structures suitable for use to practice the present invention for storing the topology and routing map of the network to be managed, the regulation limits imposed on the various routing devices, and the desired not-to-exceed network traffic profile of the network node by network traffic types; and

FIG. 8 illustrates an example computer system suitable for use to host a software implementation of a sensor or the director, in accordance with one embodiment.

DETAILED DESCRIPTION OF THE INVENTION

In the following description, various aspects of the present invention will be described. However, it will be apparent to those skilled in the art that the present invention may be practiced with only some or all aspects of the present invention. For purposes of explanation, specific numbers, materials and configurations are set forth in order to provide a thorough understanding of the present invention. However, it will also be apparent to one skilled in the art that the present invention may be practiced without the specific details. In other instances, well known features are omitted or simplified in order not to obscure the present invention.

Parts of the description will be presented in terms of operations performed by a processor based device, using terms such as receiving, analyzing, determining, instructing, and the like, consistent with the manner commonly employed by those skilled in the art to convey the substance of their work to others skilled in the art. As well understood by those skilled in the art, the quantities take the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, and otherwise manipulated through mechanical and electrical components of the processor based device; and the term processor includes microprocessors, micro-controllers, digital signal processors, and the like, that are standalone, adjunct or embedded.

Various operations will be described as multiple discrete steps in turn, in a manner that is most helpful in understanding the present invention; however, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations need not be performed in the order of presentation. The terms “routing devices” and “route” are used throughout this application, in the claims as well as in the specification. The terms as used herein are intended to be genus terms that include the conventional routers and conventional routing, as well as all other variations of network trafficking, such as switches or switching, gateways, hubs and the like. Thus, unless particularized, the terms are to be given this broader meaning. Further, the description repeatedly uses the phrase “in one embodiment”, which ordinarily does not refer to the same embodiment, although it may.

Overview

Referring now first to FIGS. 1-2, wherein two block diagrams illustrating a topological view of an example network to be managed for a network node in accordance with the present invention, and a method view of the present invention, in accordance with one embodiment, are shown. As illustrated in FIG. 1, example network 100 to be managed for a network node, such as example server 110, includes a number of routing devices 106 a-106 h coupled to each other and to server 110 as shown, for routing network traffics, including network traffics destined for server 110, such as those originated from clients 108 a-108 b. Routing devices 106 a-106 h have different degrees of separation from server 110. Routing devices 106 a-106 b are said to be one degree separated or removed from server 110, whereas routing devices 106 c-106 e are two degrees separated or removed from server 110, . . . , and routing devices 106 f-106 h are n degrees separated or removed from server 110.

[Note that the present invention is being described referencing the network node on whose behalf regulation/deregulation is being made, as example server 110, only for ease of understanding. The network node may be a network node of any type, e.g. a point of entry to network 100. Further, routing devices 106 f-106 h may or may not be contiguous as illustrated.]

In accordance with the present invention, example network 100 is also provided with director 102 to manage network traffic routing within network 100 to ensure a desired not-to-exceed network traffic profile of server 110 is adhered to. In one embodiment, the desired not-to-exceed network traffic profile is specified using one or more metrics, and preferably by network traffic types. For example, at most 10% each of the incoming bandwidth to be used for TCP SYN packets and for DNS packets, with remaining incoming bandwidth to be used by other TCP traffic. Additional examples of profile metrics and traffic types are given in the later description to follow.

Director 102 manages network traffic routing within network 100 by regulating and de-regulating network traffic routing by routing devices 106 a-106 h. Examples of regulation include, but are not limited to, rate limiting the excess traffic, decreasing priority of the excess traffic, and re-routing the excess traffic. Re-routing may involve re-routing through different routing paths or even to different destinations. In one embodiment, regulation is progressively performed based at least in part on the degrees the routing devices are separated from server 110, following in the reverse direction the routing paths traversed by the packets to reach the network node. That is, regulation is progressively applied extending from routing devices 106 a-106 b with the lowest degree of separation from server 110 to routing devices 106 f-106 h with the highest degree of separation from server 110, following the “traversed” routing paths in the earlier described reverse manner. In one embodiment, deregulation follows the reverse path of regulation. That is, regulation is progressively removed from the outermost regulated subset, e.g. routing devices 106 c-106 e, then the intermediate regulated routing devices, and eventually, the regulated routing devices 106 a-106 b with the lowest degree of separation from server 110, following the routing paths traversed by the packets to reach the network node. In another embodiment, de-regulation is determined and implemented locally, whenever regulation or the extent of regulation is no longer needed. In one embodiment, the extension and retreat are made at least at the granularity of the interface level, i.e. the ingress and egress interfaces of routing devices 106 a-106 h. In other words, regulation is first applied to the egress interfaces of a routing device to be regulated, then to the ingress interfaces of these routing devices. Likewise, de-regulation is first made to the ingress interfaces of a routing device to be de-regulated, then to the egress interfaces of the regulated routing device to be de-regulated. [Note that the current outermost subset of regulated routing devices may straddle different degrees of separation, as well as different interfaces of routing devices of the same degree of separation. For example, the current outermost subset of regulated routing devices may include the ingress and egress interfaces of routing device 106 c, the egress interface of routing device 106 d, the ingress and egress interfaces of routing device 106 a, and the egress interface of routing device 106 b.]

In one embodiment, as alluded to earlier, director 102 orchestrates the regulation and de-regulation by network traffic types. That is, different regulation and de-regulation are determined and orchestrated for different network traffic types. In one embodiment, in addition to specifying the “not-to-exceed” limits for the various network traffic types, the desired “not-to-exceed” network traffic profile may also specify the operating margins for each of the network traffic types for regulation/de-regulation to start. For example, in the earlier described example where a 10% “not-to-exceed” limit is specified for TCP SYN packets, an operating margin of 5% may also be specified for initiating regulation/de-regulation, i.e. regulation is to start if the volume of TCP SYN packets has exceeded 9.5% of the network traffic, and de-regulation may begin if the volume falls back below 9.5%. In a preferred embodiment, director 102 is equipped to employ a default operating margin, e.g. 7.5%, if an operating margin is not specified. In other embodiments, a stabilization time period may also be specified before de-regulation starts. For example, network traffic volume for a regulated network traffic type must drop below the regulation threshold for T minutes, before de-regulation will start. Employment of such a stabilization period has the advantage of preventing “oscillation”, i.e. frequent starting of regulation and de-regulation. Preferably, some amount of randomization is also introduced in the selection of T to reduce vulnerabilities to an attacker, who could otherwise predict when deregulation will kick in.

For the illustrated embodiment, example network 100 further includes a number of distributively disposed sensors 104 a-104 h correspondingly coupled to routing devices 106 a-106 h to monitor and report to director 102 on network traffic routed through the corresponding routing devices 106 a-106 h. Director 102 determines and orchestrates the earlier described regulation and, optionally, de-regulation, based on the network traffic routing data received, and the earlier described desired “not-to-exceed” network traffic profile of server 110. In one embodiment, sensors 104 a-104 h are also used to deliver regulation and de-regulation instructions to routing devices 106 a-106 h for director 102. Distributive regulation of network traffic, including sensors 104 a-104 h and director 102 in general, is the subject of U.S. application Ser. No. ______ (Express Mail number EL431686806US), entitled A Distributed Solution for Regulating Network Traffic, filed on Aug. 4, 2000, having at least partial common inventorship with the present invention. The application is hereby fully incorporated by reference.

As described in the incorporated by reference application, in lieu of being externally disposed and correspondingly coupled to routing devices 106 a-106 h, sensors 104 a-104 h may monitor and report on the network traffic routed through more than one routing device, as opposed to the corresponding configuration illustrated for ease of understanding. In yet other embodiments, some or all of sensors 104 a-104 h may be integrally disposed within routing devices 106 a-106 h instead. Sensors 104 a-104 h, whether externally disposed or integrally disposed, may be coupled to director 102 using any one of a number of communication links known in the art, such as modem links over conventional phone lines, Digital Subscriber Lines (DSL), Integrated Service Digital Network (ISDN) connections, Asynchronous Transfer Mode (ATM) links, Frame Relay connections, and the like.

In one embodiment, sensors 104 a-104 h use an access control list (ACL), and commands associated therewith, such as “access-list” and “show access-list”, to gather up the relevant data. Similarly, in one embodiment, sensors 104 a-104 h use interface related commands such as “show interface rate-limit” and “rate-limit” to regulate and de-regulate an interface. These commands, including their operations and constitutions, are known in the art. See product literatures from routing device manufacturers, such as CISCO Systems, Inc of San Jose, Calif.

In alternate embodiments, for certain routing devices, if supported, the relevant data gathered may also include “netflow” data. In other embodiments, the relevant data may also be obtained through known network management services, such as Simple Network Management Protocol (SNMP), Remote Monitoring (RMON) or packet sampling (if one or more of these services are supported by the routing devices).

Example network 100 is intended to represent a broad range of private as well as public networks or interconnected networks, such as the enterprise network of a multi-national corporation, or the Internet. Networking nodes, such as clients 108 a-108 b and server 110, are also intended to represent a broad range of these elements known in the art. As alluded to earlier, routing devices 106 a-106 h are intended to represent a broad range of network trafficking equipment, including but not limited to conventional routers, switches, gateways, hubs and the like.

While for ease of understanding, only one director 102, and a handful each of network nodes, clients 108 a-108 b and server 110, routing devices 106 a-106 h and sensors 104 a-104 h (as well as limited numbers of ingress and egress interfaces for routing devices 106 a-106 h) are included in the illustration, from the description to follow, those skilled in the art will appreciate that the present invention may be practiced with more than one director 102 as well as more or fewer network nodes, routing devices 106 a-106 h and sensors 104 a-104 h (as well as more or fewer ingress/egress interfaces for routing devices 106 a-106 h). If more than one director 102 is employed, each director 102 may be assigned responsibility for a subset of sensors 104 a-104 h, and the directors may relate to each other in a master/slave relationship, with one of the directors serving as the “master” (and the others as “slaves”), or as peers to one another, or organized into a hierarchy.

As illustrated in more detail in FIG. 2, director 102 is first provided with a desired “not-to-exceed” network traffic profile of server 110, and a topology and routing map of network 100, block 202. In addition to the earlier described bandwidth metric, the “not-to-exceed” network traffic profile of server 110 may also be specified using metrics such as the number of bits per second (mbps), the number of packets per second, or the number of flows per second, for each network traffic type to be regulated. [A flow may e.g. be a unique traffic conversation as indicated by a combination of source and destination addresses (and for certain protocols, port number also).] The topology and routing map may be defined and specified by IT professionals associated with server 110 using any one of a number of techniques known in the art. In alternate embodiments, the topology and routing map may be constructed by director 102 instead (as opposed to having the map provided to director 102). Director 102 may enumerate the map by e.g. sampling routing paths of network traffics destined for server 110, identifying the routing paths and the routing devices through which the network traffics are routed. At block 204, director 102 receives network traffic reports on the network traffic routed through routing devices 106 a-106 h. For the illustrated embodiments, the reports are provided by distributively disposed sensors 104 a-104 h. In one embodiment, the reported data include various statistics and “characteristic” information describing the network traffic routed through the ingress/egress interfaces of routing devices 106 a-106 h. In one embodiment, the reported data include destination information, allowing the amount of network traffic destined for server 110 to be discernable. In one embodiment, the reported data include network traffic types, allowing the type of network traffic to be discernable. In addition to the aforementioned TCP SYN and DNS packets, network traffic types may further include Web, Real Networks, Secure Web, Other TCP, Other UDP, ICMP, TCP packets with ACK set, TCP packets without SYN set, and so forth. In general, any information carried as part of the packets may be used as typing criteria to divide the network traffic into different traffic types. Additionally, the reported data may also include volume of data from specific source addresses passing through a routing device, volume of data with specific source and destination address combinations, lengths of packets, distribution of Time To Live values, and so forth, i.e. whatever data is necessary to support the employment of the desired “not-to-exceed” metrics.

At block 206, in response to the receipt of the reported data, director 102 automatically determines whether network traffic routing in network 100 needs to be (further) regulated or de-regulated (using the received data, and the limits and operating margins specified in the earlier described desired “not-to-exceed” network traffic profile). As described earlier, in accordance with one aspect of the present invention, regulation/de-regulation is advantageously performed in a progressive manner; thus if regulation (or further regulation) is needed, at block 208, director 102 determines the regulation to be imposed on the routing devices of the next degree of separation (along the reverse direction of the routing paths traversed by the packets to reach the network node). That is, if no regulation is in effect for any routing devices, regulation is determined for routing devices 106 a-106 b with one degree of separation from server 110 (along the traversed routing paths). As alluded to earlier, in one embodiment, regulation is determined at the granularity of the interface level, i.e. the egress interfaces of routing devices 106 a-106 b. However, if e.g. regulation is already in effect on both the ingress and egress interfaces of routing devices 106 a-106 b, further regulation is determined for routing devices 106 c-106 e with two degrees of separation from server 110. Again, in one embodiment, regulation is determined for the egress interfaces of routing devices 106 c, 106 d and/or 106 e.

On the other hand, for the illustrated embodiment, if de-regulation (or further de-regulation) is needed, at block 210, director 102 determines de-regulation for the “outermost” regulated subset. That is, if routing devices 106 c-106 e (more specifically, their egress interfaces) are the farthest removed (interfaces of) routing devices from server 110 being regulated, director 102 determines de-regulation for (the egress interfaces of) routing devices 106 c, 106 d, and/or 106 e. However, if regulation has only been extended to (the egress interfaces of) routing devices 106 a-106 b, director 102 determines de-regulation for (the egress interfaces of) routing devices 106 a and/or 106 b instead. Recall from the earlier description that, in alternate embodiments, de-regulation may be determined locally instead, and regulation may be moderated or lifted as soon as regulation is no longer needed, or the extent of regulation is not needed.

In one embodiment, regulation involves apportioning the bandwidth of a “downstream” interface to its “upstream” interfaces, whereas de-regulation involves removal of the bandwidth limitation imposed on an interface. In one embodiment, removal of imposed bandwidth limitation may be performed in multiple iterations. For example, if an ingress interface of server 110 has a bandwidth of z Mbps (for a network traffic type), and the two links feeding this ingress interface from the egress interfaces of routing devices 106 a and 106 b may allocate up to y₁ and y₂ Mbps respectively (for the network traffic type), the egress interfaces of routing devices 106 a and 106 b are rate limited to z×y₁/(y₁+y₂) and z×y₂/(y₁+y₂) Mbps respectively (for the network traffic type). In alternate embodiments, other manners of allocating bandwidth limitation (for a network traffic type), as well as other forms of regulation, such as the earlier mentioned rate limiting, priority decreasing, and re-routing, may be practiced instead. [For the purpose of this application, “downstream” refers to the network traffic flow direction towards server 110, whereas “upstream” refers to the network traffic flow direction away from server 110.]
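The following simulation is an added illustration, not code from the application, of the director behaviour described above: the analyzer's operating-margin check with a stabilization period before de-regulation, the one-degree-at-a-time push back of regulation away from the server, the retreat from the outermost regulated subset, and the z×y_i/(y₁+y₂) apportioning of a downstream limit to its upstream links. It models regulation per routing device rather than per ingress/egress interface; the topology (mirroring FIG. 1), the link capacities, the 100 Mbps limit and a fixed stabilization count (the recommended randomization of T is omitted for determinism) are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed topology mirroring FIG. 1: each entry lists the devices one hop
# further "upstream" (away from the server). 106a/106b are one degree removed,
# 106c-106e two degrees removed. Device names and capacities are assumptions.
UPSTREAM = {
    "server110": ["106a", "106b"],
    "106a": ["106c", "106d"],
    "106b": ["106e"],
    "106c": [], "106d": [], "106e": [],
}
# Hypothetical capacity y_i (Mbps, for the regulated traffic type) of the link
# from each device's egress interface toward its downstream neighbour.
LINK_CAPACITY = {"106a": 60.0, "106b": 40.0, "106c": 30.0, "106d": 30.0, "106e": 40.0}


def degrees_of_separation(upstream, root):
    """Breadth-first walk from the server; returns {device: degree of separation}."""
    degree = {root: 0}
    frontier = [root]
    while frontier:
        nxt = []
        for dev in frontier:
            for up in upstream[dev]:
                if up not in degree:
                    degree[up] = degree[dev] + 1
                    nxt.append(up)
        frontier = nxt
    return degree


def apportion(limit, upstream_devs, capacity):
    """Divide a downstream limit z among upstream egress links as z * y_i / sum(y)."""
    total = sum(capacity[d] for d in upstream_devs)
    return {d: limit * capacity[d] / total for d in upstream_devs}


@dataclass
class Director:
    upstream: dict
    capacity: dict
    root: str
    limit_mbps: float            # not-to-exceed limit z at the server for one traffic type
    margin: float = 0.05         # operating margin; regulate once traffic >= z * (1 - margin)
    stabilization: int = 3       # consecutive calm reports required before de-regulating
    regulated: dict = field(default_factory=dict)  # device -> rate limit currently imposed
    frontier: list = field(default_factory=list)   # current outermost regulated subset
    calm_reports: int = 0

    def __post_init__(self):
        # Reverse map: each device's single downstream neighbour on the path to the server.
        self.downstream = {up: dev for dev, ups in self.upstream.items() for up in ups}

    def threshold(self):
        return self.limit_mbps * (1 - self.margin)

    def observe(self, measured_mbps):
        """One analyzer cycle (FIG. 5): returns the action taken, if any."""
        if measured_mbps >= self.threshold():
            self.calm_reports = 0          # any excess resets the stabilization timer
            self.regulate_next()
            return "regulate"
        if self.regulated:
            self.calm_reports += 1
            if self.calm_reports >= self.stabilization:
                self.calm_reports = 0
                self.deregulate_outermost()
                return "deregulate"
        return None

    def regulate_next(self):
        """Extend regulation one degree of separation away from the server (blocks 606-608)."""
        candidates = self.frontier or [self.root]
        new_frontier = []
        for dev in candidates:
            ups = self.upstream[dev]
            if not ups:
                continue                   # already at the highest degree of separation
            parent_limit = self.limit_mbps if dev == self.root else self.regulated[dev]
            for up, lim in apportion(parent_limit, ups, self.capacity).items():
                self.regulated[up] = lim
                new_frontier.append(up)
        if new_frontier:
            self.frontier = sorted(new_frontier)

    def deregulate_outermost(self):
        """Lift regulation from the outermost subset, retreating toward the server (610-612)."""
        for dev in self.frontier:
            del self.regulated[dev]
        inner = {self.downstream[d] for d in self.frontier} - {self.root}
        self.frontier = sorted(inner)


def run(reports, limit_mbps=100.0):
    """Feed a sequence of measured volumes (Mbps) through one director; return the actions."""
    d = Director(UPSTREAM, LINK_CAPACITY, "server110", limit_mbps)
    return [d.observe(r) for r in reports], d


if __name__ == "__main__":
    actions, d = run([120, 110, 100, 80, 80, 80, 80, 80, 80])
    print(actions)          # regulate x3, then two de-regulation steps after calm periods
    print(d.regulated, d.frontier)
```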

Those skilled in the art will appreciate that the present invention is a superior approach to the prior art approach of regulating network traffic at the network node of interest, using e.g. a firewall.

For example, the present invention is particularly useful in protecting a network node from DoS attacks by regulating/limiting attack traffic within the network, so that it minimally interferes with the legitimate or desirable traffic. The present invention is also particularly useful in averting “success disaster”, by causing load shedding of a particular type of network traffic, e.g. TCP SYN, to avoid the appearance of a flash crowd at a network node, and to protect a network node from collateral damages caused by attacks on another network node.

At block 212, director 102 issues the regulation/de-regulation instructions to routing devices 106 a-106 h to be regulated/de-regulated. For the illustrated embodiment, the regulation/de-regulation instructions are issued to the responsible ones of sensors 104 a-104 h, for “application” to routing devices 106 a-106 h.

Director

Referring now to FIG. 3, wherein a functional view of the director, in accordance with one embodiment, is shown. As illustrated, director 102 includes send/receive function 302, analyzer 304, and regulator 306, operatively coupled to each other as shown. Send/receive function 302 is employed to receive network traffic data (e.g. reported by the distributively disposed sensors), and to send regulation/de-regulation instructions to the routing devices to be regulated (e.g. through the distributively disposed sensors). Analyzer 304 analyzes the network traffic data reported (in view of the desired “not-to-exceed” profile of server 110) to determine if regulation/de-regulation actions need to be taken, and alerts regulator 306 accordingly. Regulator 306 is used to determine the specific progressive regulation/de-regulation actions to be taken.

FIGS. 4-6 illustrate the operational flow of the relevant aspects of the send/receive, analyzer and regulation functions 302-306, in accordance with one embodiment each. As illustrated in FIG. 4, for the send/receive function, upon start up, it determines if there are network traffic data to be received (e.g. from the distributively disposed sensors), block 402. If there are, send/receive function 302 receives the network traffic data being reported accordingly. If there are not, send/receive function 302 determines if there are regulation/de-regulation instructions to be sent (e.g. to the distributively disposed sensors). If there are, send/receive function 302 sends the regulation/de-regulation instructions accordingly. If there are not, send/receive function 302 returns to block 402 to determine if there are data to be received again.

As illustrated in FIG. 5, upon start up, analyzer 304 selects a network traffic type to be monitored, block 504. Analyzer 304 further determines if regulations are being administered for the network traffic type, block 506. If network traffics of the particular type destined for server 110 are being regulated, analyzer 304 further determines if the network traffics of the particular type are still exceeding the margin of the “not-to-exceed” limit (i.e. further regulation is needed), or the network traffics of the particular type have fallen back below the margin of the “not-to-exceed” limit (for a specified stabilization period), i.e. de-regulation may start, block 508. If network traffics of the particular type are adhering to the desired “not-to-exceed” profile (but have not fallen below the operating margin), no actions are taken. If the network traffics of the particular type remain non-adhering to the desired “not-to-exceed” profile or have fallen below the operating margin of the “not-to-exceed” limit (for the required stabilization duration), analyzer 304 notifies/alerts regulator 306 accordingly, block 512. Back at block 506, if regulation is not in progress, analyzer 304 determines if network traffics of the particular type have exceeded the margin of the “not-to-exceed” limit, block 508. If network traffics of the particular type have not reached or surpassed the margin of the “not-to-exceed” limit, no actions are taken. If network traffics of the particular type have reached or surpassed the margin of the “not-to-exceed” limit, analyzer 304 notifies/alerts regulator 306 accordingly, block 512.

Analyzer 304 repeats this process for each network traffic type to be regulated for server 110.

As illustrated in FIG. 6, upon receipt of an alert, regulator 306 determines if the alert is for (further) regulation or de-regulation, block 602. If the alert is for (further) regulation, regulator 306 examines the regulation metrics (e.g. bandwidths or mbps, etc.) of the next upstream set (of interfaces) of the routing devices, block 606. Further, regulator 306 determines the regulation (e.g. bandwidth allocation, rate limiting etc.), block 608. Upon making these determinations, regulator 306 provides the regulation instructions to the routing devices to be regulated accordingly (e.g. through the sensors), block 614. On the other hand, if the alert is for de-regulation, regulator 306 selects and examines the outermost regulated subset for de-regulation, block 610. Further, regulator 306 determines the level of de-regulation (bandwidth restoration, rate limit relaxation etc.), block 612. Upon making these determinations, regulator 306 provides the de-regulation instructions to the routing devices to be de-regulated accordingly (e.g. through the sensors), block 614.

Data Structures

FIGS. 7 a-7 c illustrate a number of example data structures suitablefor use to store the data associated with the topology map, the desired“not-to-exceed” profile for network traffic type, and the regulationbeing imposed on the routing devices, for practicing the presentinvention.

Illustrated in FIG. 7 a is example link list 700 enumerating thetopology of network 100, by linking together a number of networknode/routing device records 702, using pointers 708. For the particularembodiment, the enumeration starts from network node or server 110. Apointer 708 is employed to point to the record 702 of each of the“upstream” (routing) devices. In each record 702, in addition to anidentifier 704 of the device, and the pointers 708 to the upstreamdevices, record 702 also includes a count 706 of the number of upstreamdevices. In alternate embodiments, other data structures may also beemployed to represent the topology of network 100.

Illustrated in FIG. 7c is example table 720 specifying the desired "not-to-exceed" network traffic profile for a number of network traffic types for a number of servers. Table 720 includes a number of columns, in particular column 722 for storing the identifiers of the servers on whose behalf a network is to be regulated. Table 720 further includes column 724 for storing the IP addresses of the servers. Table 720 further includes columns 725a-725n and columns 726a-726n for storing the network traffic types and their corresponding "not-to-exceed" limits, such as TCP SYN packets with a limit of 10%, as described earlier, for the various servers. In different embodiments, additional columns 728 may also be employed to store other related data.

Illustrated in FIG. 7b is example table 710 specifying the regulation in effect for the various interfaces of the routing devices of the network being regulated. Table 710 includes columns 712, 713 and 714 for storing the identifiers of the routing devices, their IP addresses, and the identifiers of their ingress/egress interfaces. Table 710 further includes column 715 and columns 716a-716n for storing the addresses of the network nodes whose traffic is to be regulated, and the regulations (i.e. bandwidth allocation, rate limit, etc.) currently imposed on the various interfaces of the routing devices for the various network traffic types of the network nodes. In different embodiments, additional columns 718 may also be employed to store other related data.

In general, as those skilled in the art would appreciate, in alternate embodiments other equivalent data structures may be employed to store these data to practice the present invention.
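The following Python is an added illustration written for this page, not code from the patent, of how the FIG. 6 alert handling of regulator 306 can be driven off the FIG. 7a-7c data structures: an upstream-pointer topology enumerated from the protected node (FIG. 7a), a per-server not-to-exceed profile (FIG. 7c), and a table of the regulation currently in effect (FIG. 7b). A "regulate" alert pushes regulation one degree of separation further upstream and divides each downstream device's allowance among the devices that feed it; a "deregulate" alert lifts regulation from the outermost regulated subset, following the reverse path. The device names, the tree-shaped sample topology, the use of Mbps rate limits in place of the page's percentage example, and the equal-split rule for dividing an allowance are assumptions made for this example; the page says only that the not-to-exceed limits are divided up as regulation extends away from the network node.

```python
"""Regulator modelled on FIG. 6 over the FIG. 7a-7c structures.
Added example, not the patent's implementation. Topology, profile,
Mbps units and the equal-split division rule are assumptions."""
from collections import deque

# FIG. 7a: each record lists the device's upstream devices; enumeration
# starts at the protected node. Constructed sample, tree-shaped.
TOPOLOGY = {
    "server110": ["r1"],
    "r1": ["r2", "r3"],
    "r2": ["r4"],
    "r3": ["r5", "r6"],
    "r4": [], "r5": [], "r6": [],
}

# FIG. 7c: not-to-exceed profile per server and traffic type. The Mbps
# ceiling is a constructed value standing in for the page's 10% example.
PROFILE = {"server110": {"tcp_syn": 100.0}}


def degrees_of_separation(topology, node):
    """Breadth-first walk upstream from the node; returns {device: degree}."""
    degree = {node: 0}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for up in topology.get(cur, ()):
            if up not in degree:
                degree[up] = degree[cur] + 1
                queue.append(up)
    return degree


class Regulator:
    """Regulation in effect (FIG. 7b) keyed (device, traffic type) -> Mbps.
    One shared frontier is kept for brevity; a per-type frontier would be
    needed if several traffic types were regulated to different depths."""

    def __init__(self, topology, profile, node):
        self.topology, self.profile, self.node = topology, profile, node
        self.degree = degrees_of_separation(topology, node)
        self.regulation = {}
        self.frontier = 0  # highest degree currently regulated (0 = none)

    def devices_at(self, d):
        return sorted(dev for dev, deg in self.degree.items() if deg == d)

    def handle_alert(self, traffic_type, kind):
        """Block 602: dispatch on whether the alert is for (further)
        regulation or for de-regulation."""
        if kind == "regulate":
            return self._regulate(traffic_type)
        if kind == "deregulate":
            return self._deregulate(traffic_type)
        raise ValueError(f"unknown alert kind {kind!r}")

    def _regulate(self, traffic_type):
        """Blocks 606-614: extend regulation to the next upstream set,
        splitting each downstream device's allowance equally among the
        devices at the new degree that feed it (assumed division rule)."""
        nxt = self.frontier + 1
        if not self.devices_at(nxt):
            return []  # already at the outermost routing devices
        limit = self.profile[self.node][traffic_type]
        instructions = {}
        for down in self.devices_at(self.frontier):
            allowance = limit if down == self.node else self.regulation[(down, traffic_type)]
            ups = [u for u in self.topology.get(down, ()) if self.degree[u] == nxt]
            for up in ups:
                # A device fed by several downstream devices accumulates shares.
                instructions[up] = instructions.get(up, 0.0) + allowance / len(ups)
        for dev, rate in instructions.items():
            self.regulation[(dev, traffic_type)] = rate
        self.frontier = nxt
        return sorted(instructions.items())

    def _deregulate(self, traffic_type):
        """Blocks 610-614: lift regulation from the outermost regulated subset."""
        if self.frontier == 0:
            return []
        outer = self.devices_at(self.frontier)
        for dev in outer:
            self.regulation.pop((dev, traffic_type), None)
        self.frontier -= 1
        return outer

    def frontier_total(self, traffic_type):
        """Invariant a practitioner should check after every push-back: the
        rate limits at the regulated frontier sum to the profile ceiling, so
        pushing regulation outward neither leaks nor over-throttles."""
        if self.frontier == 0:
            return 0.0
        return sum(self.regulation[(d, traffic_type)] for d in self.devices_at(self.frontier))


if __name__ == "__main__":
    reg = Regulator(TOPOLOGY, PROFILE, "server110")
    for _ in range(3):
        print("regulate ->", reg.handle_alert("tcp_syn", "regulate"),
              "frontier total:", reg.frontier_total("tcp_syn"))
    print("deregulate ->", reg.handle_alert("tcp_syn", "deregulate"))
```

Running the demo shows the limit of 100 Mbps granted whole to r1, then split 50/50 between r2 and r3, then 50 to r4 and 25 each to r5 and r6, with the frontier total staying at 100 at every step; the de-regulation alert then removes the degree-3 devices and leaves r2 and r3 regulated.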

Example Host Computer System

FIG. 8 illustrates an example computer system suitable for use either as a host to a software implementation of a sensor or as the director, in accordance with one embodiment. As shown, computer system 800 includes one or more processors 802 (the number typically depending on whether it is used as host to a sensor or as the director) and system memory 804. Additionally, computer system 800 includes mass storage devices 806 (such as diskette, hard drive, CDROM and so forth), input/output devices 808 (such as keyboard, cursor control and so forth) and communication interfaces 810 (such as network interface cards, modems and so forth). The elements are coupled to each other via system bus 812, which represents one or more buses. In the case of multiple buses, they are bridged by one or more bus bridges (not shown). Each of these elements performs its conventional functions known in the art. In particular, system memory 804 and mass storage 806 are employed to store a working copy and a permanent copy of the programming instructions implementing the sensor/director teachings of the present invention. The permanent copy of the programming instructions may be loaded into mass storage 806 in the factory, or in the field, as described earlier, through a distribution medium (not shown) or through communication interface 810 (from a distribution server, not shown). The constitution of these elements 802-812 is known, and accordingly will not be further described.

CONCLUSION AND EPILOGUE

Thus, it can be seen from the above description that a novel method and apparatus for progressively and distributively regulating and de-regulating selected network traffic destined for a network node has been described. The novel scheme enables the quality of service provided by the network to the network node and its clients to be ensured, including nullification of denial of service attacks.

While the present invention has been described in terms of the above illustrated embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described. The present invention can be practiced with modification and alteration within the spirit and scope of the appended claims. For example, as alluded to earlier, the present invention may be practiced with more or fewer sensors, more directors, and so forth. Thus, the description is to be regarded as illustrative instead of restrictive on the present invention.

1-26. (cancelled)
27. A method comprising: receiving network traffic reports including network traffic type information, for network traffic routed through a plurality of routing devices and destined for a network node; and regulating network traffic routing, in response to a denial of service attack on said network node, by network traffic type by said routing devices based at least in part on said received network traffic reports and said network traffic type information.
28. The method of claim 27, wherein said regulating comprises determining if routing of network traffic of a network traffic type by said routing devices needs to be regulated or, if regulation is already in progress, needs a change in the regulation.
29. The method of claim 27, wherein said regulating comprises regulating said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
30. The method of claim 27, wherein the method further comprises de-regulating network traffic routing by network traffic types by said routing devices based at least in part on said received network traffic data by network traffic types.

31. The method of claim 30, wherein said de-regulating comprises determining if regulation imposed on routing of network traffic of a network traffic type by said routing devices needs to be de-regulated.

32. The method of claim 30, wherein said de-regulation comprises de-regulating at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing regulation imposed.

33. The method of claim 27, wherein said regulating of network traffic routing by network traffic type by said routing devices is to be performed further based on a desired not-to-exceed profile of network traffic by network traffic type to be routed to said network node.

34-46. (cancelled)
47. An apparatus comprising: (a) a storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data by network traffic types for network traffic routed through a plurality of routing devices, including at least network traffic data by network traffic types for network traffic destined for a network node routed by said routing devices to said network node; and to regulate network traffic routing by network traffic types by said routing devices based at least in part on said received network traffic data by network traffic types; and (b) at least one processor coupled to the storage medium to execute the programming instructions.
48. The apparatus of claim 47, wherein said programming instructions enable the apparatus to determine if routing of network traffic of a network traffic type by said routing devices needs to be regulated or, if regulation is already in progress, needs a change in the regulation.
49. The apparatus of claim 47, wherein said programming instructions enable the apparatus to regulate said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
50. The apparatus of claim 47, wherein said programming instructions further enable the apparatus to de-regulate network traffic routing by network traffic types by said routing devices based at least in part on said received network traffic data by network traffic types.
51. The apparatus of claim 50, wherein said programming instructions enable the apparatus to determine if regulation imposed on routing of network traffic of a network traffic type by said routing devices needs to be de-regulated.

52. The apparatus of claim 50, wherein said programming instructions enable the apparatus to de-regulate at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing regulation imposed.
53. The apparatus of claim 47, wherein said programming instructions enable the apparatus to further base said regulating of network traffic routing by network traffic type by said routing devices on a desired not-to-exceed profile of network traffic by network traffic type to be routed to said network node.